Trust is good, control is better - A (short) story about Network Policies
2019-09-21, 10:30–11:10 (Europe/Berlin), Cage

Testing the effectiveness of Kubernetes Network Policies can be approached in different ways. In this talk we will show you the benefits and drawbacks of the different approaches and which solution we finally chose.


Probably everybody who uses Kubernetes in a production environment with multiple users has looked at policies. Often the operators of the cluster(s) simply trust the policies, but in some cases it is useful to check whether the policies have actually taken effect, and often there are just too many policies in the cluster setup to test them all manually (and obviously you don't want to do this). Testing the effectiveness of Network Policies can be approached in different ways. In this talk we will show you the benefits and drawbacks of the different approaches and which solution we finally chose. We will also show you some other tools and how they complement our solution. As a takeaway you will get an overview of different testing strategies for policies, as well as an understanding of the challenges in testing policies in general and in the Kubernetes ecosystem. You will also get a feeling that it's not always the best idea to just trust other plugins to implement the policies correctly. Our solution is open-sourced at https://github.com/inovex/illuminatio/

Johannes Scheuermann has been working as a Cloud Platform Engineer at inovex since 2014. His daily work involves innovative technologies and topics all around the modern data center environment, like Kubernetes, immutable infrastructure and – quite obviously – cloud platforms. Amongst other things Johannes supported the construction of the waipu.tv platform for EXARING and multiple big Kubernetes platforms for 1&1 Internet (web.de, GMX etc.) in a leading role.

Maximilian Bischoff joined inovex as a Cloud Platform Engineer in 2018 and has since worked on topics such as testing Kubernetes, edge computing and observability. He authored illuminatio, a tool for testing Kubernetes network policies, as part of his master's thesis.
Currently he is leading the implementation of Istio on top of the Kubernetes platform of 1&1 Mail and Media (web.de, GMX, etc.).